By TOM ZELLER Jr.

In one of the largest breaches of data security to date,
CitiFinancial, the consumer finance subsidiary of Citigroup, announced
yesterday that a box of computer tapes containing information on 3.9
million customers was lost by United Parcel Service last month, while
in transit to a credit reporting agency.

Executives at Citigroup said the tapes were picked up by U.P.S. early
in May and had not been seen since.

The tapes contained names, addresses, Social Security numbers,
account numbers, payment histories and other details on small
personal loans made to millions of customers through CitiFinancial's
network of more than 1,800 lending branches, or through retailers
whose product financing was handled by CitiFinancial's retail

The company said there was no indication that the tapes had been
stolen or that any of the data in them had been compromised.

It was, however, the latest in a series of recent data-security
failures involving nearly every kind of institution that compiles
personal information -- ranging from data brokers like ChoicePoint and
LexisNexis to financial institutions like Bank of America and Wachovia
to the media giant Time Warner to universities like Boston College and
the University of California, Berkeley.

All these institutions have reported data breaches in the last five
months, affecting millions of individuals and spurring Congressional
hearings and numerous bills aimed at improving security in the
handling of sensitive consumer information. The fear is that Social
Security numbers, when combined with a consumer's name, address and
date of birth, can be used by thieves to open new lines of credit,
secure loans and otherwise steal someone's identity.

Whether the recently reported breaches indicate an epidemic of data
loss is unclear. Many privacy and security advocates have suggested
that a California law, requiring that consumers be notified of data
security breaches, has led to more confessions of data losses and
increased awareness of a longstanding problem.

[TELECOM Digest Editor's Note: I'll tell you the latest thing the
phishers are doing: A phisher dressed up like a UPS delivery man
or Federal Express person shows up at the company to get the daily
shipment to the credit bureaus (yes, it is a _daily_ transfer). The
person of course has no connection to the delivery service; he just
does what is called 'reverse engineering' or 'social engineering' on
the bank employees responsible for making the transfer of the tapes.
A variation on this happened a number of years ago when two guys
dressed as postal employees showed up at the Amoco Oil Company
credit card office in the (presumably secure) area where new plastics
were issued and mailed out to new customers. Because Amoco had been
tipped off the day before that this was going to happen, they were
able to prevent it with FBI guys on hand to arrest the pair who were
posing as postal workers coming to get the daily output of fresh
cards to go in the mail. I am surprised the phishers have not thought
of this before: rather than one by one trying to trick information
out of people, instead trick the relative handful of people in
charge of data transfer between bank and credit bureau. PAT]